1 Answer

As discussed earlier, when using FileVault 2 (FDE), the initial authentication takes place as part of the EFI pre-boot authentication process. At this very early stage of the boot phase, none of the OS-reliant services are able to load because they’re dependent on the OS running. This means that alternative authentication mechanisms other than password-based authentication aren’t supported at this time. Any support for additional two-factor authentication mechanisms, such as smart cards or one-time passwords (OTP), requires further development of those services in the highly restricted space and execution of EFI. If an organization needs to use smart cards for authenticating and unlocking access to encrypted storage, use of container-based Legacy FileVault should be examined more closely.